Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2009 U.S. Customs and Border Protection (CBP) Financial Statement Audit (Redacted)

OIG-10-109                           August 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

AUG 111010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the U.S. Customs and Border Protection component of the FY 2009 DHS financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were not required to be reported in the financial statement audit report, November 13, 2009, and represents the separate restricted distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit of CBP's FY 2009 financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated January 22, 2010, and the conclusions expressed in it. We do not express opinions on DHS' financial statements or internal control or a conclusion on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Assistant Inspector General
Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036

January 6, 2010

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
Customs and Border Protection

Ladies and Gentlemen:

We have audited the consolidated balance sheets of the Customs and Border Protection (CBP), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2009 and 2008, and the related consolidated statements of net cost, changes in net position, custodial activity, and the combined statement of budgetary resources (referred to herein as "consolidated financial statements") for the years then ended. In planning and performing our audit of the consolidated financial statements of CBP, in accordance with auditing standards generally accepted in the United States of America, we considered CBP's internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of CBP's internal control. Accordingly, we do not express an opinion on the effectiveness of CBP's internal control. In planning and performing our fiscal year 2009 audit, we considered CBP's internal control over financial reporting by obtaining an understanding of the design effectiveness of CBP's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. To achieve this purpose, we did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of CBP's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of CBP's internal control over financial reporting.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

Our audit of CBP as of, and for the year ended, September 30, 2009 disclosed a material weakness in the areas of Information Technology (IT) access controls, security management, and segregation of duties. These matters are described in the IT General Control Findings by Audit Area section of this letter.

The material weakness described above is presented in our Independent Auditors' Report, dated January 6, 2010. This letter represents the separate restricted distribution letter mentioned in that report.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

The control deficiencies described herein have been discussed with the appropriate members of management and communicated through a Notice of Finding and Recommendation (NFR), and are intended For Official Use Only. Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim to use the knowledge of CBP gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.

The Table of Contents on the next page identifies each section of the letter.
We have provided a description of key CBP financial systems and IT infrastructure within the scope of the FY 2009 CBP consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the CBP Chief Financial Officer dated January 6, 2010.

This communication is intended solely for the information and use of DHS and CBP management, DHS Office of Inspector General, OMB, U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

                              Department of Homeland Security
                             U.S. Customs and Border Protection
                          Information Technology Management Letter
                                   September 30, 2009

                                    TABLE OF CONTENTS

                                                                                Page

Objective, Scope, and Approach                                                     1
Summary of Findings and Recommendations                                            2
IT General Control Findings by Audit Area                                          3
    Findings Contributing to a Significant Deficiency in IT                        3
        Access Controls                                                            3
        Security Management                                                        4
        Segregation of Duties                                                      5
    Other Findings in IT General Controls                                          5
        After-Hours Physical Security Testing                                      5
        Social Engineering Testing                                                 6
Application Control Findings                                                      10
Management's Comment and OIG Response                                             10

                                       APPENDICES

Appendix    Subject                                                                                                            Page
A           Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2009 CBP Financial
            Statement Audit                                                                                                      11
B           FY 2009 Notices of IT Findings and Recommendations                                                                   13
                - Notices of Findings and Recommendations – Definition of Severity Ratings                                       14
C           Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of
            Findings and Recommendations                                                                                         29
D           Management's Comment                                                                                                 31
E           Report Distribution                                                                                                  33
                      OBJECTIVE, SCOPE, AND APPROACH

We have audited the consolidated balance sheets of the United States (U.S.) Department of Homeland Security's (DHS) U.S. Customs and Border Protection (CBP) as of September 30, 2009, and related consolidated statements of net cost, changes in net position, custodial activity, and the combined statements of budgetary resources (hereinafter referred to as "consolidated financial statements") for the years then ended. The overall objective of our audit was to evaluate the effectiveness of Information Technology (IT) general controls of CBP's financial processing environment and related IT infrastructure as necessary to support the engagement. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our audit as it relates to the IT general control assessment at CBP. The scope of the IT general controls assessment is described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. FISCAM defines the following six control functions to be essential to the effective operation of the general IT controls environment.

• Security management (SM) – Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
• Access control (AC) – Controls that limit and/or monitor access to computer resources (data, programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.
• Configuration Management (CM) – Controls that help to prevent the implementation of unauthorized programs or modifications to existing programs.
• Segregation of duties (SD) – Controls that constitute policies, procedures, and an organizational structure to prevent one individual from controlling key aspects of computer-related operations, thus deterring unauthorized actions or access to assets or records.
• Contingency Planning (CP) – Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key network and system devices. The technical security testing was performed from within select CBP facilities, and focused on test, development, and production devices that directly support CBP financial processing and key general support systems.

In addition to testing CBP's general control environment, we performed application control tests on a limited number of CBP financial systems. The application control testing was performed to assess the controls that support the financial systems' internal controls over the input, processing, and output of financial data and transactions.

• Application Controls (APC) – Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants, or loans.

                                                   1
 Information Technology Management Letter for the FY 2009 CBP Financial Statement Audit

           SUMMARY OF FINDINGS AND RECOMMENDATIONS

During fiscal year (FY) 2009, CBP took corrective action to address many prior-year IT control deficiencies. For example, CBP made improvements in the tracking of security awareness completion, the controlling of emergency and temporary access to the Automated Commercial System (ACS), and the recertification of National Data Center (NDC) Local Area Network (LAN) accounts. However, during FY 2009, we continued to identify IT general control deficiencies at CBP. The most significant deficiencies from a financial statement audit perspective related to controls over access to programs and data. Collectively, the IT control deficiencies limited CBP's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these deficiencies negatively impacted the internal controls over CBP financial reporting and its operation, and we consider them to collectively represent a significant deficiency for CBP under standards established by the American Institute of Certified Public Accountants (AICPA). The IT findings were combined into one significant deficiency regarding IT for the FY 2009 audit of the CBP consolidated financial statements.

Although we noted improvement, the conditions identified at CBP in FY 2008 have not been completely addressed because CBP still faces challenges related to the merging of numerous IT functions, controls, and processes, and organizational resource shortages. During FY 2009, CBP took steps to address these conditions. Despite these improvements, CBP needs further emphasis on the monitoring and enforcement of access controls as well as on implementing and enforcing the CBP-wide security certification and accreditation (C&A) program. Many of the issues identified during our review, which were also identified during FY 2008 and prior, can be addressed through a more consistent and effective security C&A program and security training program.

While the recommendations made by us should be considered by CBP, it is the ultimate responsibility of CBP management to determine the most appropriate method(s) for addressing the deficiencies identified based on their system capabilities and available resources.
              IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Findings Contributing to a Significant Deficiency in IT at the Component Level

Conditions: In FY 2009, the following IT and financial system control deficiencies were identified at CBP. Several of the issues identified during our FY 2009 engagement were also identified during FY 2008. The following IT and financial system control deficiencies contribute to a significant deficiency for financial system security.

Access Controls – we noted:

    1. The log of ACS access profile changes is not regularly reviewed by personnel independent from those individuals that have made the changes.

    2. CBP does not maintain authorizations for personnel that have administrator access to [redacted].

    3. Parameters for all mainframe audit and system utility logs are not configured to collect appropriate data.

    4. The following issues were noted in regard to ACS Security Profile Change Log Procedures:
        a. Procedures do not define how often the ACS security profile change audit logs are reviewed;
        b. Procedures do not describe how evidence of the review process is created by the ACS Information System Security Officer (ISSO)/Independent Reviewer; and
        c. Procedures do not define the sampling methodology that is used to select ACS profile change security logs for review.

    5. Automated Commercial Environment (ACE) audit logs are not being reviewed on a regular basis.

    6. A total of 5 out of the 25 sampled NDC LAN audit logs were either blank or did not contain pertinent audit log information.

    7. [redacted] passwords were not required to be case sensitive for approximately half the fiscal year and therefore did not meet CBP and DHS requirements.

    8. Procedures on how to generate the system utility log reports for the Mainframe ISSO's review do not exist.

    9. The control option to limit the number of failed logon attempts to the [redacted] was not configured properly.

    10. [redacted] was not configured to disable accounts after 45 days of inactivity for the full fiscal year, as required by CBP and DHS policy.

    11. ACS Information Security Agreements (ISAs) for all identified participating government agencies have not been documented as required by CBP and DHS policies.

    12. Initial access requests and approvals for 30 out of 45 individuals granted access to ACE during FY 2009 could not be provided.

    13. [redacted] portal accounts for separated employees are not timely removed as required by CBP and DHS policy.

    14. Access request documentation for individuals who had their ACS access profiles modified during FY 2009 was not consistently maintained.

    15. The review of SAP profile changes consisted of only a review of access deletes and did not include a review of additions of new users and modification to user IDs (change/addition of profiles).

    16. Certain individuals were not appropriately limited to temporary/emergency [redacted] access as required by the Chief Information Security Officer (CISO).

    17. Certain individuals did not have CISO approval for their emergency access to [redacted]. Additionally, it was noted that there was one instance in which the emergency access was granted in error without authorization and three instances where the improper form was used to request emergency/temporary access; and,

    18. Formal access documentation for 3 ACE National Security Control Officers (SCOs) created in FY 2009 and 37 ACE Field SCOs created in FY 2009 was reviewed. The following exceptions were noted:
        a. Two of the three National SCOs were not authorized and their roles were added in error.
        b. One National SCO was approved through a manual recertification, and the initial authorization request and/or approval could not be provided.
        c. Thirty-six of the thirty-seven Field SCOs' initial authorizations and approvals could not be provided. While these accounts were approved through the account recertification process, it could not be determined who performed the recertification and what their authorization level was.

Security Management – we noted:

    1. A complete and accurate listing [redacted]. It was noted that the list did not contain accurate [redacted].

    2. There are a significant number of non-[redacted] workstations that do not appear on the [redacted] listing of workstations, as maintained by the [redacted] administrators, and therefore do not have [redacted] installed.

    3. A complete, up-to-date listing of all CBP workstations is not maintained.

    4. Of forty-five selected individuals that had separated in FY 2009, 19 of these individuals did not have a completed CBP-241 form on file.

    5. Twenty-four out of 60,750 AD workstations did not have virus protection installed. Additionally, it could not be determined what percentage of non-AD workstations have virus protection installed.

    6. A new directive was issued requiring the use of the Contractor Tracking System (CTS). However, this directive refers to Department of Treasury policies, and therefore is outdated as CBP is no longer a part of Treasury. Additionally, CBP-242 contractor separation forms were not appropriately completed for 3 out of 45 selected CBP contractors.

    7. Non-Disclosure Agreements (NDAs) for 8 out of 45 selected contractors were signed several months after their hire date. Additionally, one NDA did not have a witness signature, indicating that the NDA was not appropriately completed.

    8. There are six individuals within the Office of Information Technology (OIT) that are in critical sensitive positions and have not had their periodic reinvestigations completed within the five year time frame.

    9. The requirement to sign a Rules of Behavior (ROB) form is not implemented consistently. Specifically, 10 out of 40 selected individuals with systems access do not have a signed ROB form on record. Additionally, 11 individuals signed the ROB form months after the requirement was implemented.

    10. During our technical testing, configuration and patch management exceptions were identified on AD Domain Controllers and hosts supporting the SAP and ACE applications.

Segregation of Duties – we noted:

    1. [redacted] is not currently configured to restrict access to least privilege for performing job functionality as required by CBP policy.

Other Findings in IT General Controls

After-Hours Physical Security Testing

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to media and equipment that house financial data and information residing on a CBP employee's/contractor's desk, which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at various CBP locations that process and/or maintain financial data, as shown in the following table.
                Security Weaknesses Observed During After Hours Physical Security Testing
                                            CBP Locations

 Exceptions Noted                            Building   Building   Building   Building   Total Exceptions by Type
 Passwords                                       0          7          2          1               10
 For Official Use Only (FOUO) Documents          1          4          8         13               26
 Keys/Badges                                     3          2          1          1                7
 Personally Identifiable Information (PII)       7          7          5          3               22
 Server Names/IP Addresses                       0          2          0          0                2
 Unsecured Laptops                               0          1          1          1                3
 Unsecured External Drives                       0          0          0          4                4
 Credit Cards                                    0          0          0          2                2
 Classified Documents                            0          0          0          0                0
 Other – U.S. Government official passport       0          0          0          1                1
 Total Exceptions by Location                   11         23         17         26               77
 Source: CBP management and KPMG direct observation and inspection of work areas.

Note that approximately 15 desks / offices were examined for each one of the columns in the above table.

Social Engineering Testing

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing / enabling computer system access. The term typically applies to deception for the purpose of information gathering, or gaining computer system access.

  Locations     Total Called     Total Answered     Number of people who provided a password
  CBP Sites          30                10                              2

Recommendations: We recommend that the CBP OIT, in coordination with the Office of Finance (OF), make the following improvements to the CBP financial management systems and processes.

For access controls, we recommend that CBP:

    1. Implement the review of ACS profile change logs on a periodic basis by an independent reviewer, and formalize the procedures in detail for the review of ACS security profile change logs.
                            U.S. Customs and Border Protection
                         Information Technology Management Letter
                                  September 30, 2009

  2. Implement the procedures that have been developed to restrict access to mainframe administrative capabilities, and require documented authorization requests and approval for each person requiring access to those capabilities.

  3. Properly configure mainframe audit and system utility logs to capture appropriate data for the NDC mainframe system.

  4. Create detailed procedures that document the review process for ACS profile change logs, including the documented evidence of review.

  5. Implement the procedures that have been established for reviewing ACE audit logs on a weekly basis, to be in compliance with DHS guidelines.

  6. Conduct a more thorough review of NDC LAN audit logs to ensure that logs are capturing all necessary information and that no blank logs exist. Further, CBP must ensure that audit logs are configured properly to capture all information and activity on the system.

  7. Create and implement formal procedures to document the generation of mainframe audit and system utility logs.

  8. Adjust the [redacted] control option in the [redacted] to result in the immediate suspension of any user who exceeds the specified number of violations, which should be set to a reasonably low number.

  9. Modify [redacted] appropriately to ensure that accounts are disabled after 45 days of inactivity.

  10. Develop a consistent and uniform naming scheme for all current and future ACS connections to facilitate the identification of all existing ACS connections and the reconciliation of existing ISAs. Once all ACS mission connections have been identified, ensure that the appropriate ISAs are produced.

  11. Implement procedures to consistently document the access requests and approvals for any and all access creations and changes to ACE users.

  12. Investigate and implement a method to disable CBP [redacted] accounts for separated employees and contractors upon their separation or before, as determined appropriate by [redacted] security management and Human Resources.

  13. Implement procedures to consistently document the access requests and approvals for any and all access creations and changes to ACS user profiles.

  14. Implement the review of [redacted] access change logs on a periodic basis by an independent reviewer, and modify procedures to ensure that all types of access changes (adds, deletes, and modifications) are reviewed to confirm that appropriate requests and approvals were documented.

  15. Formalize procedures around the process for granting temporary and emergency access to developers to ensure that access to these sensitive roles is restricted appropriately. Specifically, CBP should ensure controls are in place to confirm that a user is authorized to be granted the role and that the individual has not been granted that role more often than authorized by the Component CISO over a given period of time.

  16. Continue to implement processes to appropriately restrict and authorize access to temporary and emergency roles within [redacted]; and

  17. Develop and implement procedures to restrict access to the Field and National SCO roles, and require documented authorization requests and approval for each person requiring access to the [redacted].

For security management, we recommend that CBP:

  1. Implement procedures to have [redacted] regularly reviewed and updated by [redacted] to ensure the most accurate data is in the [redacted] for use by all of CBP.

  2. Research, identify, and implement a method to consistently account for all CBP workstations, and perform regular reviews to ensure that all CBP workstations have Tivoli, or some future solution, appropriately applied.

  3. Work with administrators across the country to ensure that new and existing workstations are added to a centralized accounting structure such as AD, or some other more appropriate solution if identified, so that all workstations are accounted for in an appropriate fashion.

  4. Develop a standardized method of maintaining the CBP-241 forms to ensure that all forms for all separating employees are completed in a timely manner and are easily accessible.

  5. Research, identify, and implement a method to consistently account for all CBP workstations, and perform regular reviews to ensure that all CBP workstations have virus protection installed and that it is regularly updated.

  6. Review the current Customs Directive regarding separation procedures for CBP contractors and update it to reflect the current operating environment. Additionally, CBP should require the consistent and accurate completion of the CBP-242 forms for all separating contractors.

  7. Implement a more consistent method of ensuring that contractors sign an NDA. Furthermore, ensure that COTRs regularly review their contractor information and that there is an NDA for each contract under their supervision.

  8. Devote adequate resources to the completion of periodic background reinvestigations that are due for all CBP personnel. Additionally, CBP should devote special attention to those individuals in critical sensitive positions requiring initial or periodic reinvestigations.

  9. Implement a more consistent method of ensuring that all individuals with CBP systems access sign a ROB form. Also, methods should be developed to ensure that individuals with access to any and all CBP systems have signed rules of behavior.

  10. Review their information system security awareness programs to ensure that individuals are adequately instructed and reminded of their roles in the protection of both electronic and physical CBP data and hardware. Additionally, CBP employees and contractors should be made especially aware of the need to protect personally identifiable information as well as information marked “For Official Use Only”; and

  11. Address the specific conditions identified in the finding related to configuration and patch management deficiencies.
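Two of the access control recommendations above, disabling accounts after 45 days of inactivity and ensuring that no blank audit logs exist, can be checked mechanically before an independent reviewer signs off. The Python script below is an added example, not part of this letter or of CBP's own tooling; the account listing, the audit log line layout, the sampled dates and the "as of" date are constructed for illustration.

```python
"""Added example (not from the letter): mechanical checks for two access control
recommendations, the 45-day inactivity limit and the absence of blank audit logs.
All sample data below is constructed and the log layout is an assumption."""
from datetime import date, datetime, timedelta

INACTIVITY_LIMIT_DAYS = 45  # threshold stated in the recommendation
AUDIT_AS_OF = date(2009, 9, 30)  # constructed check date (the letter's "as of" date)

# Constructed account listing: user id -> date of last successful logon,
# None meaning the account has never been used. A real export would come
# from the platform's own administration tooling.
SAMPLE_ACCOUNTS = {
    "user01": date(2009, 9, 20),
    "user02": date(2009, 7, 1),
    "svc_batch": None,
    "user03": date(2009, 8, 20),
}

# Constructed audit log in an assumed "YYYY-MM-DD HH:MM:SS event details" layout.
# Event names echo the kinds of entries the finding expects to see recorded.
SAMPLE_AUDIT_LOG = """\
2009-04-06 08:12:03 login_failed user02 ws104
2009-04-06 08:12:41 login user02 ws104
2009-04-08 09:00:15 acl_changed share_fin user01
2009-04-08 17:44:59 intruder_detected ws219
2009-04-09 07:59:02 login user03 ws310
"""

# Constructed sample of dates an independent reviewer selected for inspection.
SAMPLED_DATES = [date(2009, 4, 6), date(2009, 4, 7), date(2009, 4, 8), date(2009, 4, 9)]


def inactive_accounts(accounts, as_of, limit_days=INACTIVITY_LIMIT_DAYS):
    """Return ids of accounts whose last logon is more than limit_days before
    as_of, or that have never logged on. Under the recommendation these
    accounts should already be disabled."""
    cutoff = as_of - timedelta(days=limit_days)
    return sorted(uid for uid, last in accounts.items()
                  if last is None or last < cutoff)


def events_per_day(log_text):
    """Count audit events per calendar day. Lines that do not parse are
    returned separately rather than dropped: a parse failure can itself
    hide a logging gap, so the reviewer needs to see it."""
    counts, unparsed = {}, []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            day = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").date()
        except ValueError:
            unparsed.append(lineno)
            continue
        counts[day] = counts.get(day, 0) + 1
    return counts, unparsed


def blank_log_dates(log_text, sampled_dates):
    """Return the sampled dates for which the log holds no events at all,
    the blank-log condition the letter describes for the NDC LAN audit logs."""
    counts, _ = events_per_day(log_text)
    return [d for d in sampled_dates if counts.get(d, 0) == 0]


def run_checks(accounts, log_text, sampled_dates, as_of=AUDIT_AS_OF):
    """Combine both checks into one report dictionary for the reviewer."""
    counts, unparsed = events_per_day(log_text)
    return {
        "inactive_accounts": inactive_accounts(accounts, as_of),
        "blank_dates": blank_log_dates(log_text, sampled_dates),
        "events_per_day": {d.isoformat(): n for d, n in sorted(counts.items())},
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    report = run_checks(SAMPLE_ACCOUNTS, SAMPLE_AUDIT_LOG, SAMPLED_DATES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A date with zero events is only a candidate gap; the reviewer still has to confirm whether the system was idle or, as in the finding, the log filter was misconfigured.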
For segregation of duties, we recommend that:

  1. The ACE Security Team continue to work with the Office of Finance to identify incompatible roles, and that procedures are developed as part of the access control process to ensure that these role combinations are not granted to ACE users.

Cause/Effect: Several of these deficiencies were the result of either an inadequate allocation of resources to address prior year findings or only partial implementation of recommendations for prior year findings. By not addressing the conditions noted above, the risk exists that deficiencies may be exploited, either singly or in combination, which might affect the availability, confidentiality, or integrity of CBP’s financial systems and data.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. In addition, OMB Circular No. A-127 prescribes policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems. In closing, for this year’s IT audit we assessed CBP’s compliance with DHS 4300A. Additionally, we assessed CBP’s implementation of CBP policy, the Information Systems Security Policies and Procedures Handbook, version 1.3.

                       APPLICATION CONTROL FINDINGS

During FY 2009, we noted that CBP is unable to prevent, or detect and correct, excessive drawback claims due to the inherent limitations [redacted] and the lack of controls therein. Additionally, [redacted]. These control deficiencies were presented to CBP management as a material weakness.

           MANAGEMENT’S COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from Customs and Border Protection management. Generally, CBP management agreed with our findings and recommendations. CBP management has developed a remediation plan to address these findings and recommendations. We have included a copy of the comments in Appendix D.

OIG Response

We agree with the steps that CBP management is taking to satisfy these recommendations.
                                   Appendix A

 Description of Key Financial Systems and IT Infrastructure within the Scope of the FY 2009 CBP Financial Statement Audit

            DESCRIPTION OF FINANCIAL SYSTEMS AND IT INFRASTRUCTURE

Below is a description of significant United States (U.S.) Customs and Border Protection (CBP) financial management systems and supporting information technology (IT) infrastructure included in the scope of CBP’s fiscal year (FY) 2009 Financial Statement Audit.

Locations of Review: The CBP National Data Center (NDC) in [redacted].

Key Systems Subject to Audit:

• Systems, Applications, and Products Release 3 (SAP R/3) – SAP is CBP’s financial management system that consists of a ‘core’ system, which supports primary financial accounting and reporting processes, and a number of additional subsystems for specific operational and administrative management functions. SAP is a client/server-based financial management system that was implemented beginning in FY 2004 to ultimately replace the AIMS mainframe-based financial system, using a phased approach.

• Automated Commercial System (ACS) – ACS is a collection of mainframe-based business process systems used by CBP to track, control, and process all commercial goods, conveyances, and private aircraft entering U.S. territory for the purpose of collecting import duties, fees, and taxes owed to the Federal government. Key application software within ACS includes systems for data input/output, entry and entry summary, and collection of revenue.

• Automated Commercial Environment (ACE) – ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. ACE is being deployed in phases, with final full deployment scheduled for FY 2010. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY 2009 financial statement audit.

• Seized Assets and Cases Tracking System (SEACATS) – Used for tracking seized assets, the Customs Forfeiture Fund, and fines and penalties.
                                    Appendix B

           FY 2009 Notices of Information Technology Findings and Recommendations

Notices of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the Department of Homeland Security (DHS) Independent Auditors’ Report.

      1 – Not substantial
      2 – Less significant
      3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided only to assist CBP in the development of its corrective action plans for remediation of the deficiency.
Columns: NFR #, Condition, Recommendation, New Issue, Repeat Issue, Risk Rating.

CBP-IT-09-03
  Condition: During testing, KPMG was informed that [redacted] all data had not been completely captured from all organizations within CBP to ensure a complete and accurate listing [redacted]. Additionally, through inspection of data on current contractors, KPMG noted that there were data validity issues in the system, [redacted].
  Recommendation: KPMG recommends that CBP implement procedures to have [redacted] data regularly reviewed and updated by [redacted] to ensure the most accurate data is in the [redacted] for use by all of CBP.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-12
  Condition: KPMG noted that [redacted] is installed on a significant majority of workstations at CBP. These workstations are on the [redacted] system. However, KPMG noted that there are a significant number of non-AD workstations that do not appear on the [redacted] listing of workstations, as maintained by the [redacted]. We noted that these workstations do not have [redacted] installed as required.
  Recommendation: KPMG recommends that CBP research, identify, and implement a method to consistently account for all CBP workstations and perform regular reviews to ensure that all CBP workstations have [redacted], or some future solution, appropriately applied.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-13
  Condition: KPMG noted that while progress has been made in accounting for all CBP workstations, a complete and up-to-date listing of all CBP workstations is not maintained. Specifically, KPMG noted that workstations maintained within AD can be accounted for in a reasonable manner. However, workstations that are not in AD are difficult to account for, as they are not part of the Active Directory structure and can only be identified when connecting to the network, which may not occur regularly (i.e., laptops, unused equipment, etc.).
  Recommendation: KPMG recommends that CBP work with administrators across the country to ensure that new and existing workstations are added to a centralized accounting structure such as AD, or some other more appropriate solution if identified, to allow for all workstations to be accounted for in an appropriate fashion.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-21
  Condition: KPMG noted that when changes to a user’s Automated Commercial System (ACS) access profile are performed, the log of these events is not regularly reviewed by personnel independent from those individuals that made the changes.
  Recommendation: KPMG recommends that the review of these logs be implemented on a periodic basis by an independent reviewer and that CBP formalize these procedures in detail for the review of ACS security profile change logs.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-27
  Condition: KPMG noted that authorizations are still not being maintained for personnel that have administrator access to [redacted]. Procedures have been implemented to require documented authorization; however, evidence could not be provided that these procedures are being implemented appropriately.
  Recommendation: KPMG recommends that CBP implement procedures that have been developed to restrict access to mainframe administrative capabilities and require documented authorization requests and approval for each person requiring access to the mainframe administrative capabilities.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-29
  Condition: KPMG selected 45 individuals that had separated in fiscal year (FY) 2009 and noted that 19 of these individuals did not have a completed CBP-241 form on file. Additionally, KPMG noted that two forms provided for two different individuals were incomplete and lacked a supervisor’s signature.
  Recommendation: KPMG recommends that CBP develop a standardized method of maintaining the CBP-241 forms to ensure that all forms for all separating employees are completed in a timely manner and are easily accessible.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-34
  Condition: KPMG noted that 24 out of 60,750 AD workstations, or 0.04 percent, did not have antivirus installed, which is a negligible amount. However, KPMG could not determine what percentage of non-AD workstations have virus protection installed, as non-AD workstations do not communicate with the ePolicy Orchestrator system that is used to maintain and update virus protection across CBP workstations and networks.
  Recommendation: KPMG recommends that CBP research, identify, and implement a method to consistently account for all CBP workstations and perform regular reviews to ensure that all CBP workstations have virus protection installed and that it is regularly updated.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-41
  Condition: KPMG noted that a Customs Directive was provided as separation procedures for contractors and that this directive was dated September 2001. The directive references Treasury policies as source documentation. This directive is out of date, as CBP is no longer a part of the Department of Treasury. A new directive was issued requiring the use of the Contractor Tracking System; however, the new directive still refers to the old directive, which has not been updated. Additionally, KPMG noted that CBP-242 contractor separation forms are not completed consistently for separating CBP contractors. Specifically, KPMG noted that 3 separated contractors out of 45 selected had their forms completed over one month after they separated from CBP.
  Recommendation: KPMG recommends that CBP review the current Customs Directive and update it to reflect the current operating environment. Additionally, KPMG recommends that CBP require the consistent and accurate completion of the CBP-242 forms for all separating contractors.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-44
  Condition: While KPMG notes that progress has been made in implementing procedures requiring the signing of non-disclosure agreements, KPMG noted that non-disclosure agreements are still not consistently being signed by contractors at CBP. Specifically, KPMG noted that non-disclosure agreements (NDAs) for 8 out of 45 selected contractors were signed many months after their hire date. Additionally, KPMG noted that one NDA did not have a witness signature, indicating the NDA was not appropriately completed.
  Recommendation: KPMG recommends that CBP implement a more consistent method of ensuring that contractors sign an NDA. KPMG also recommends that COTRs regularly review their contractors and ensure that there is an NDA for each contractor under their supervision.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-45
  Condition: Parameters for all mainframe audit and system utility logs [redacted] are not configured to collect appropriate data. Specifically, KPMG noted that one out of the six mainframe audit and system utility logs, [redacted], did not produce any data during the time of testing due to an inaccurate filtering configuration.
  Recommendation: KPMG recommends that CBP properly configure mainframe audit and system utility logs to capture appropriate data for the National Data Center (NDC) mainframe system.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-48
  Condition: KPMG noted the following deficiencies related to the ACS Security Audit Logs procedures:
    • Procedures do not define how often the ACS security profile change audit logs are reviewed.
    • Procedures do not describe how documented evidence of the review process is created by the ACS Information System Security Officer (ISSO)/Independent Reviewer.
    • Procedures do not define the sampling methodology that is used to select ACS profile change security logs for review.
  Recommendation: KPMG recommends that CBP create detailed procedures that document the review process for ACS profile change logs that include documented evidence of review.
  New Issue: -   Repeat Issue: X   Risk Rating: 2

CBP-IT-09-56
  Condition: KPMG noted that Automated Commercial Environment (ACE) audit logs are not being reviewed on a regular basis. KPMG noted that procedures have been established which require that audit logs and events be reviewed on a weekly basis. However, at this time, procedures have not been implemented effectively.
  Recommendation: KPMG recommends that CBP implement the procedures that have been established for reviewing ACE audit logs on a weekly basis to be in compliance with DHS guidelines.
  New Issue: X   Repeat Issue: -   Risk Rating: 2

CBP-IT-09-57
  Condition: KPMG noted that 5 out of the 25 sampled audit logs did not contain any audit log information, such as login attempts, intruder detected, login failed, Access Control List (ACL) changed, object activity, etc. KPMG did not receive audit log information for the following five selected dates:
    • February 16, 2009
    • April 1, 2009
    • April 7, 2009
    • April 19, 2009
    • May 4, 2009
  Recommendation: KPMG recommends that CBP conduct a more thorough review of audit logs to ensure that logs are capturing all necessary information and that no blank logs exist. Further, CBP must ensure that audit logs are configured properly to capture all information and activity on the system.
  New Issue: X   Repeat Issue: -   Risk Rating: 2

CBP-IT-09-58
  Condition: KPMG noted that [redacted] passwords were not required to be case sensitive for a period of time during our testing and therefore did not meet CBP and DHS requirements.
  Recommendation: As this condition was addressed during the course of the audit fieldwork, KPMG has no further recommendation to CBP.
Further testing has shown                                                              X                   2\n               that passwords currently are required to\n               be case sensitive and that issue has now\n               been resolved.\n\n               KPMG noted that formal procedures do        KPMG recommends that CBP create and\n               not exist that describe the mainframe       implement formal procedures to document the\n               audit process and how to generate the       generation of mainframe audit and system utility\nCBP-IT-09-59                                                                                                        X                   2\n               system utility log reports for the          logs.\n               mainframe ISSO\xe2\x80\x99s review.\n\n\n\n\n                                                                    21\n               Information Technology Management Letter for the FY 2009 CBP Financial Statement Audit\n\x0c                                                                                                                                    Appendix B\n                                                Department of Homeland Security\n                                               U.S. 
Customs and Border Protection\n                                            Information Technology Management Letter\n                                                       September 30, 2009\n\n                                                                                                                                Repeat    Risk\n   NFR #                       Condition                                      Recommendation                        New Issue\n                                                                                                                                 Issue   Rating\n               KPMG noted that one user was allowed          KPMG recommends an adjustment to the Access\n               1,476 failed attempts to access a dataset     Response control option to result in the immediate\n               to which they were not authorized before      suspension of any user who exceeds the specified\n               their access was suspended in the             number of violations, which should be set at a\n                          . KPMG determined that the         reasonably low number of attempts.\nCBP-IT-09-60   control option in the security software,                                                                X                   2\n               which results in immediate suspension of\n               any user who exceeds the specified\n               number of violations, was not configured\n               properly.\n\n               KPMG noted that there are six individuals     KPMG recommends that CBP devote adequate\n               within Office of Information Technology       resources to the completion of periodic\n               (OIT) that are in critical sensitive          reinvestigations and initial investigations that are\n               positions and have not had their periodic     due for all CBP personnel. 
Additionally, KPMG\n               reinvestigations completed within the five    recommends that CBP devote special attention to\n               year time frame. Specifically, of these six   those individuals in critical sensitive positions\n               individuals, KPMG noted the following:        requiring initial or periodic reinvestigations.\n               \xe2\x80\xa2 Two individuals in critical positions\n                   had their reinvestigations completed a\nCBP-IT-09-61                                                                                                           X                   2\n                   year or longer later than they should\n                   have been.\n               \xe2\x80\xa2 Four individuals in critical positions\n                   should have had their reinvestigations\n                   completed and are several months\n                   late. Of these four individuals, one\n                   has not had his/her investigation\n                   status updated since August 2002.\n\n\n\n\n                                                                      22\n               Information Technology Management Letter for the FY 2009 CBP Financial Statement Audit\n\x0c                                                                                                                                        Appendix B\n                                                  Department of Homeland Security\n                                                 U.S. 
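The three log-review conditions above (a mis-filtered mainframe log that produced no data in CBP-IT-09-45, sampled dates with blank audit logs in CBP-IT-09-57, and 1,476 access violations before a suspension in CBP-IT-09-60) reduce to checks a reviewer can run over exported audit records rather than by eye. The Python below is an added example and is not code from the KPMG letter or from CBP; the record layout (date, log source, user, event type), the source and event names, the sample records, the sampled dates and the threshold of five violations are all constructed assumptions, not CBP's actual log format or settings.

```python
"""Log-review checks for the conditions in CBP-IT-09-45, -57 and -60.

Added example, not code from the KPMG letter or from CBP. The record layout
(date, log source, user, event type), the source and event names, the sample
records and the violation threshold are constructed assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample audit records in chronological order; not real CBP data.
SAMPLE_LOG = (
    [("2009-02-15", "LAN_SECURITY", "u1001", "LOGIN_OK"),
     ("2009-02-17", "LAN_SECURITY", "u1002", "LOGIN_FAILED"),
     ("2009-04-02", "LAN_SECURITY", "u1003", "ACL_CHANGED")]
    # u2000 is only suspended after the 12th violation against a dataset it
    # is not authorized for: the CBP-IT-09-60 pattern in miniature.
    + [("2009-04-02", "MF_VIOLATIONS", "u2000", "ACCESS_VIOLATION")] * 12
    + [("2009-04-02", "MF_VIOLATIONS", "u2000", "SUSPENDED")]
    # u3000 exceeds the threshold and is never suspended at all.
    + [("2009-04-03", "MF_VIOLATIONS", "u3000", "ACCESS_VIOLATION")] * 7
    + [("2009-05-05", "LAN_SECURITY", "u1004", "OBJECT_ACTIVITY")]
)

# Review parameters (assumed): the dates picked for the sample, the log
# sources that are configured and should produce data, and the violation
# count at which the security software should suspend a user.
SAMPLED_DATES = ["2009-02-15", "2009-02-16", "2009-04-01", "2009-04-02", "2009-04-07"]
EXPECTED_SOURCES = ["LAN_SECURITY", "MF_VIOLATIONS", "MF_UTILITY"]
MAX_VIOLATIONS = 5


def blank_log_dates(log, sampled_dates):
    """Sampled dates with no events at all (CBP-IT-09-57: blank logs)."""
    dates_seen = {rec[0] for rec in log}
    return [d for d in sampled_dates if d not in dates_seen]


def silent_sources(log, expected_sources):
    """Configured sources that produced no records in the period
    (CBP-IT-09-45: a log whose filter configuration yields no data)."""
    per_source = Counter(rec[1] for rec in log)
    return [s for s in expected_sources if per_source[s] == 0]


def lockout_findings(log, max_violations):
    """Users with more than max_violations ACCESS_VIOLATION events before
    their first SUSPENDED event. Returns {user: (violations, was_suspended)}:
    was_suspended=False means the lockout never fired; True with a large
    count means it fired far later than the configured limit."""
    violations = defaultdict(int)
    suspended = set()
    # sorted() is stable, so same-day records keep their recorded order
    for _date, _source, user, event in sorted(log, key=lambda r: r[0]):
        if user in suspended:
            continue                      # count only pre-suspension activity
        if event == "ACCESS_VIOLATION":
            violations[user] += 1
        elif event == "SUSPENDED":
            suspended.add(user)
    return {u: (n, u in suspended)
            for u, n in violations.items() if n > max_violations}


def review_report(log, sampled_dates, expected_sources, max_violations):
    """Bundle the three checks into one reviewer report."""
    return {
        "blank_dates": blank_log_dates(log, sampled_dates),
        "silent_sources": silent_sources(log, expected_sources),
        "lockout": lockout_findings(log, max_violations),
    }


if __name__ == "__main__":
    for name, result in review_report(SAMPLE_LOG, SAMPLED_DATES,
                                      EXPECTED_SOURCES, MAX_VIOLATIONS).items():
        print(f"{name}: {result}")
```

On the constructed sample, the report lists three blank sampled dates, one silent source, and two lockout findings: u2000 was suspended but only after 12 violations, and u3000 was never suspended. The second case is the one a weekly review is most likely to miss, because nothing in the log says "suspended" for that user; the check has to count violations itself against the configured limit.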
CBP-IT-09-62 (New Issue; Risk Rating 2)
Condition: Significant progress has been made in requiring individuals with systems access to sign a rules of behavior (ROB) form before systems use. KPMG noted, however, that the requirement to sign a ROB form is not implemented consistently. Out of 40 individuals with systems access across the country, 10 individuals did not have a signed ROB form on record. Additionally, 11 individuals signed the ROB form months after the CBP Chief Information Officer's (CIO's) requirement to sign the ROB form. These individuals have had access during fiscal year 2009.
Recommendation: KPMG recommends that CBP implement a more consistent method of ensuring that all individuals with CBP systems access sign a ROB form. KPMG also recommends that methods be developed to ensure that individuals with access to any and all CBP systems have a signed ROB form.

CBP-IT-09-63 (New Issue; Risk Rating 2)
Condition: KPMG noted that [redacted] is not configured to disable accounts after 45 days of inactivity for the full fiscal year, as required by CBP and DHS policy.
Recommendation: KPMG recommends that CBP ensure that the Change Request to implement this control is completed, appropriately approved, and implemented to disable accounts after 45 days of inactivity as required by CBP and DHS policy.

CBP-IT-09-64 (New Issue; Risk Rating 2)
Condition: KPMG determined that Interconnection Security Agreements (ISAs) for all identified participating government agencies have not been documented as required by CBP and DHS policies.
Recommendation: KPMG recommends that CBP develop a consistent and uniform naming scheme for all current and future ACS connections to facilitate the identification of all existing ACS connections as well as the reconciliation of existing ISAs. Finally, KPMG recommends that once all ACS mission connections have been identified, the appropriate ISAs be produced.

CBP-IT-09-65 (New Issue; Risk Rating 2)
Condition: KPMG inspected access request documentation for 45 individuals who were granted ACE access during FY 2009. Initial access requests and approvals for 30 of these individuals could not be provided. Although confirmation that access is appropriate was provided for these 30 individuals, access approvals prior to the creation of their accounts were not maintained.
Recommendation: KPMG recommends that CBP implement procedures to consistently document the access requests and approvals for any and all access creations and changes for ACE users.

CBP-IT-09-66 (New Issue; Risk Rating 2)
Condition: KPMG noted that CBP portal accounts for separated employees are removed on a bi-weekly basis and are not removed on the day of the individual's separation as required by CBP and DHS policy. Additionally, KPMG noted that one contractor who had [redacted] access had separated from CBP, but the account was not disabled until some time after he/she had separated.
Recommendation: KPMG recommends that CBP investigate and implement a method to disable CBP [redacted] accounts for separated employees and contractors upon their separation or before, as determined appropriate by [redacted] security management and Human Resources.

CBP-IT-09-67 (New Issue; Risk Rating 2)
Condition: KPMG inspected access request documentation for 45 individuals who had their [redacted] access profiles modified during FY 2009. Access change requests and approvals for 14 of these individuals could not be provided. Although confirmation that the access is appropriate was provided for these 14 individuals, access approvals prior to the modification of the account were not maintained.
Recommendation: KPMG recommends that CBP implement procedures to consistently document the access requests and approvals for any and all access creations and changes to [redacted] user profiles.

CBP-IT-09-68 (New Issue; Risk Rating 2)
Condition: During our technical testing, patch and configuration management exceptions were identified on the [redacted] environment. These conditions can be found in the table within the actual NFR.
Recommendation: During our technical testing, patch and configuration management exceptions were identified in the [redacted] environment. The recommendations to address these conditions can be found in the table within the actual NFR.

CBP-IT-09-69 (New Issue; Risk Rating 2)
Condition: KPMG inspected profile change reviews performed by CBP management for changes to SAP access profiles and noted that the profile reviews were ineffective. Specifically, KPMG noted that only access deletes were tested in the review. These deletes remove an individual's access and do not increase an individual's access. Additions of new users and modifications to user IDs (change/addition of profiles) were not part of the selected access changes that were reviewed. The reviews consisted only of deleted accounts and did not cover any new accounts that had been added during the review period.
Recommendation: KPMG recommends that the review of these access change logs be implemented on a periodic basis by an independent reviewer and that CBP modify its procedures to ensure that all types of access changes (adds, deletes, and modifications) are reviewed to ensure that appropriate requests and approvals were documented.
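Several of the account-management conditions above are the same control failure seen from different angles: an account that stays enabled past the 45-day inactivity limit (CBP-IT-09-63), an account that outlives its owner's separation because removal runs on a bi-weekly sweep (CBP-IT-09-66), and access creations or modifications with no approval on file that a review of deletes alone can never surface (CBP-IT-09-65, -67 and -69). The Python below is an added example and is not code from the KPMG letter or from CBP; the account records, the profile-change log, the request-ticket identifiers and the dates are constructed assumptions, while the 45-day limit and the September 30, 2009 fiscal year end are taken from the letter.

```python
"""Account-lifecycle and access-change review checks for CBP-IT-09-63, -65,
-66, -67 and -69.

Added example, not code from the KPMG letter or from CBP. The account and
change records, ticket identifiers and dates are constructed assumptions;
the 45-day limit and the fiscal year end come from the letter.
"""
from datetime import date, timedelta

AS_OF = date(2009, 9, 30)                # fiscal year end used by the letter
INACTIVITY_LIMIT = timedelta(days=45)    # CBP/DHS threshold cited in CBP-IT-09-63

# Constructed account records (not real CBP accounts): last login, separation
# date (None while employed) and the date the account was disabled (None
# while still enabled).
ACCOUNTS = [
    {"user": "u100", "last_login": date(2009, 9, 20), "separated": None, "disabled": None},
    {"user": "u101", "last_login": date(2009, 7, 1),  "separated": None, "disabled": None},             # idle 91 days, still enabled
    {"user": "u102", "last_login": date(2009, 6, 1),  "separated": None, "disabled": date(2009, 8, 1)},  # disabled only on day 61
    {"user": "c200", "last_login": date(2009, 8, 10), "separated": date(2009, 8, 14), "disabled": date(2009, 8, 28)},  # bi-weekly sweep
    {"user": "c201", "last_login": date(2009, 9, 1),  "separated": date(2009, 9, 4),  "disabled": date(2009, 9, 4)},   # same day: compliant
    {"user": "c202", "last_login": date(2009, 9, 10), "separated": date(2009, 9, 15), "disabled": None},               # never disabled
]

# Constructed profile-change log and the register of approved request tickets.
CHANGES = [
    {"id": 1, "user": "u300", "type": "add",    "ticket": "AR-1"},
    {"id": 2, "user": "u301", "type": "modify", "ticket": None},     # no request on file
    {"id": 3, "user": "u302", "type": "delete", "ticket": "AR-3"},
    {"id": 4, "user": "u303", "type": "add",    "ticket": "AR-9"},   # request exists, never approved
    {"id": 5, "user": "u304", "type": "delete", "ticket": None},
]
APPROVED_TICKETS = {"AR-1", "AR-3"}


def stale_enabled_accounts(accounts, as_of=AS_OF, limit=INACTIVITY_LIMIT):
    """Active-employee accounts that stayed enabled for more than `limit`
    after the last login (CBP-IT-09-63). Returns {user: days_enabled_idle}."""
    findings = {}
    for acct in accounts:
        if acct["separated"] is not None:
            continue                          # handled by separation_lag()
        enabled_until = acct["disabled"] or as_of
        idle = enabled_until - acct["last_login"]
        if idle > limit:
            findings[acct["user"]] = idle.days
    return findings


def separation_lag(accounts, as_of=AS_OF):
    """Separated users whose account outlived the separation date
    (CBP-IT-09-66 requires disablement on the day of separation).
    Returns {user: days_enabled_after_separation}."""
    findings = {}
    for acct in accounts:
        if acct["separated"] is None:
            continue
        end = acct["disabled"] or as_of       # still enabled: measure to as_of
        lag = (end - acct["separated"]).days
        if acct["disabled"] is None or lag > 0:
            findings[acct["user"]] = lag
    return findings


def unapproved_changes(changes, approved, types=("add", "modify", "delete")):
    """Changes of the given types with no approved request on file
    (CBP-IT-09-65/-67). Restricting `types` to ("delete",) reproduces the
    CBP-IT-09-69 review, which never sees the add/modify exceptions that
    actually expand access."""
    findings = {t: [] for t in types}
    for change in changes:
        if change["type"] in findings and change["ticket"] not in approved:
            findings[change["type"]].append(change["id"])
    return findings


if __name__ == "__main__":
    print("idle but enabled:", stale_enabled_accounts(ACCOUNTS))
    print("separation lag:", separation_lag(ACCOUNTS))
    print("unapproved (all types):", unapproved_changes(CHANGES, APPROVED_TICKETS))
    print("unapproved (deletes only):", unapproved_changes(CHANGES, APPROVED_TICKETS, ("delete",)))
```

Two design points matter for the review rather than the code. Measuring inactivity as the time the account stayed enabled after the last login, rather than just "last login older than 45 days", also catches accounts that were eventually disabled but late (u102). And calling the change check with every change type is what makes the CBP-IT-09-69 gap visible: the deletes-only call returns one finding, the full call returns three, and the two it adds are the ones that granted or widened access.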
CBP-IT-09-70 (New Issue; Risk Rating 2)
Condition: KPMG noted that a memo was issued by the Component Chief Information Security Officer (CISO) to limit temporary/emergency access [redacted] to no more than four times per month. KPMG noted that the policy was adjusted to restrict access to 25 times per user, per role, over a six-month period. Taking into account this new control, KPMG noted that during FY 2009 there was one individual who was granted access to a temporary/emergency role 43 times over a six-month period.
Recommendation: KPMG recommends that procedures be formalized concerning the process for granting temporary and emergency access to [redacted] developers, to ensure that access to these sensitive roles is restricted appropriately. Specifically, KPMG recommends that CBP ensure controls are in place to confirm that a user is authorized to be granted the role and that the individual has not been granted that role more often than authorized by the Component CISO over a given period of time.

CBP-IT-09-71 (New Issue; Risk Rating 2)
Condition: KPMG noted that out of a selected 25 instances in which emergency access was granted to [redacted] users, 4 individuals did not have CISO approval for their emergency access. Additionally, KPMG noted that there was one instance in which the emergency access was granted in error without authorization and three instances in which an improper form was used to request emergency/temporary access.
Recommendation: KPMG recommends that CBP continue to implement processes to appropriately restrict and authorize access to temporary and emergency roles within [redacted].

CBP-IT-09-72 (New Issue; Risk Rating 2)
Condition: KPMG noted that [redacted] is not currently configured to restrict access to least privilege for performing job functionality as required by CBP policy.
Recommendation: KPMG recommends that the [redacted] Security Team continue to work with the Office of Finance to identify incompatible roles and that procedures be developed as part of the access control process to ensure that these role combinations are not granted to ACE users.

CBP-IT-09-73 (New Issue; Risk Rating 2)
Condition: KPMG inspected access documentation for 3 National Security Control Officers (SCOs) created in FY 2009 and 37 Field SCOs created in FY 2009 and noted the following exceptions:
• Two of the three National SCOs were not authorized, and their roles were added by mistake.
• One National SCO was approved through a manual recertification, and the initial authorization request and/or approval could not be provided.
• Thirty-six of the thirty-seven Field SCOs' initial authorization and approval could not be provided. Instead, a recertification was provided, though the recertification did not note who performed the recertification and what authorization they had to perform the recertification.
Recommendation: KPMG recommends that CBP develop and implement procedures to restrict access to the Field and National SCO roles and require documented authorization requests and approval for each person requiring access to ACE administrative capabilities.

CBP-IT-09-74 (New Issue; Risk Rating 2)
Condition: Multiple incidents of unprotected CBP information systems and data were found as a result of physical security walkthroughs. Additionally, passwords were obtained from two CBP employees through social engineering techniques. The details of this testwork can be viewed in the actual NFR.
Recommendation: KPMG recommends that CBP review its information system security awareness programs to ensure that individuals are adequately instructed and reminded of their roles in the protection of both electronic and physical CBP data and hardware. Additionally, CBP employees and contractors should be made especially aware of the need to protect personally identifiable information as well as information marked "For Official Use Only."

Appendix C
Department of Homeland Security
U.S. Customs and Border Protection
Information Technology Management Letter
September 30, 2009

Appendix C
Status of Prior Year Notices of Findings and Recommendations, and Comparison to Current Year Notices of Findings and Recommendations
NFR No.        Description                                                                     Disposition
CBP-IT-08-02   Automated Commercial System (ACS) Interconnection Security Agreements (ISAs)    Closed
CBP-IT-08-03   Contractor [redacted] Deficiencies                                              Repeat (CBP-IT-09-03)
CBP-IT-08-08   National Data Center (NDC) Local Area Network (LAN) Audit Logs                  Closed
CBP-IT-08-09   Disabling of Inactive Accounts on NDC LAN                                       Closed
CBP-IT-08-12   [redacted] Installation                                                         Repeat (CBP-IT-09-12)
CBP-IT-08-13   Complete List of Customs and Border Protection (CBP) Workstations               Repeat (CBP-IT-09-13)
CBP-IT-08-16   Excessive ACS Emergency Access                                                  Closed
CBP-IT-08-18   Recertification of NDC LAN Accounts                                             Closed
CBP-IT-08-21   Review of Changes to Security Profiles in ACS                                   Repeat (CBP-IT-09-21)
CBP-IT-08-26   Review of Mainframe Security Violation Logs                                     Closed
CBP-IT-08-27   [redacted] Administrator Access Authorization Weaknesses                        Repeat (CBP-IT-09-27)
CBP-IT-08-28   NDC LAN Access Policies and Procedures                                          Closed
CBP-IT-08-29   Completion of CF-241 Forms for Terminated Employees                             Repeat (CBP-IT-09-29)
CBP-IT-08-34   Installation of Virus Protection                                                Repeat (CBP-IT-09-34)
CBP-IT-08-35   Configuration Management                                                        Closed
CBP-IT-08-36   Patch Management                                                                Closed
CBP-IT-08-37   Security Violation Review Process                                               Closed
CBP-IT-08-38   Process for Reviewing Mainframe Audit and System Utility Logs                   Closed
CBP-IT-08-39   Password Configuration Weakness in Automated Commercial Environment (ACE)       Closed
CBP-IT-08-40   Information System Security Manager (ISSM) Approval of SAP Emergency            Closed
               and Temporary Access Authorizations
CBP-IT-08-41   Weaknesses in the Process of Separating CBP Contractors                         Repeat (CBP-IT-09-41)
CBP-IT-08-43   Inadequate Resources at [redacted] for Business Continuity Testing              Closed
CBP-IT-08-44   Completion of Non Disclosure Agreements for CBP Contractors                     Repeat (CBP-IT-09-44)
CBP-IT-08-45   Log Configuration Weakness for NDC Mainframe System                             Repeat (CBP-IT-09-45)
CBP-IT-08-46   Review of Mainframe Audit and System Utility Logs                               Closed
CBP-IT-08-47   Rules of Behavior Forms are Not Signed Before Gaining Systems Access            Closed
CBP-IT-08-48   Lack of Effective ACS Access Change Log Review Procedures                       Repeat (CBP-IT-09-48)
CBP-IT-08-49   Weak Initial Passwords Granted for New Accounts in ACS                          Closed
CBP-IT-08-50   Inadequate Tracking of Security Awareness Training Completion                   Closed
CBP-IT-08-51   No UNIX Hardware Maintenance Procedures                                         Closed
CBP-IT-08-52   Screensavers are Not Appropriately Configured on the NDC LAN                    Closed
CBP-IT-08-53   Out of Date and Inaccurate ACS Security Administrator Procedures                Closed
CBP-IT-08-54   ACE Access Control Weaknesses                                                   Closed
CBP-IT-08-55   NDC LAN Accounts Created by Unauthorized Parties                                Closed

Appendix D
Department of Homeland Security
U.S. Customs and Border Protection
Information Technology Management Letter
September 30, 2009

1300 Pennsylvania Avenue NW
Washington, DC 20119

U.S.
Customs and\n                                                                           Border Protection\n\n\n\n  , APR      8-111\n  MEMORANDUM FOR:               Frank Deffer\n                                Assistant Inspector General\n                                Infonnation Technology Audits\n\n  FROM:                         Charles Annstrong\n                                Assistant Commissioner\n                                Office of Infonnation and echnology\n\n  SUBJECT:                      Drafi Audit Report - Infonnation Technology Management Letter\n                                for the FY 2009 CBP Financial Statement Audit\n\n\n  In response to the memorandum dated March 10,2010 requesting written comments on the drafi\n  report, responses to jts recommendations, and identification of infonnation that should not be\n  publicly released, CBP OIT is providing the following comments on the remediat\'ion actions that\n  are being performed for the findings and recommendations from the FY 2009 audit.\n\n  General comments\n\n  CBP OrT concurs with the preface of the report and page 2 of the January 22. 2010 leller from\n  DIG which states that this management letter is FDUD and is the restricted distribution version\n  of the overall report.\n\n  Thirty NFRs were issued to CBP on during the FY 2009 audit (I I were reissues of FY 2008\n  findings and 19 were new). To date, remediation on 12 findings has been completed. Corrective\n  Action Plans (CAPs) for the remaining are either under development or are in progress and their\n  status is provided in the attachment.\n\n\n  Access Controls\n\n  CBP concurred with KPMG\'s 18 findings and recommendations in this area. Work on 12\n  findings has been completed and await review by the auditors. Four other CAPs are on track for\n  completion this fiscal year. Plans have not yet been received for two of the findings. 
  The status of each CAP is provided in the attachment.

  Security Management

  CBP concurred with KPMG's ten findings and recommendations in this area. Remediation work
  has been completed on one of the findings. The Offices of Administration, Internal Affairs and
  Information Technology are cooperating to remediate the other nine findings which are expected
  to be completed by the end of the fiscal year. The status for each CAP is provided in the
  attachment.

  Segregation of Duties

  CBP concurred with KPMG's finding and recommendation in this area. CBP will continue the
  collaboration between the ACE Security Team, the Office of Administration, and the Office of Field
  Operations to identify and document incompatible roles. CBP will then develop a procedure to ensure
  incompatible roles are not assigned to the same user, unless an exception is properly authorized. The
  estimated completion date is July 15, 2010.

  After-Hours Physical Security and Social Engineering Testing

  CBP concurred with KPMG's finding and recommendation in this area.
  The Office of
  Information Technology in conjunction with the Office of Internal Affairs and the Privacy Office
  is working to develop a plan to strengthen the security awareness programs for protecting
  electronic and physical data, hardware, and personally identifiable information, as well as
  information marked "For Official Use Only." The estimated completion date is October 13,
  2010.

  If you have any questions concerning this response, please contact Judy Wright, Office of
  Information and Technology Audit Liaison, at (703) 286-4155.

                Report Distribution

                Department of Homeland Security

                Secretary
                Deputy Secretary
                General Counsel
                Chief of Staff
                Deputy Chief of Staff
                Executive Secretariat
                Under Secretary, Management
                Acting Deputy Commissioner, CBP
                DHS Chief Information Officer
                DHS Chief Financial Officer
                Chief Financial Officer, CBP
                Chief Information Officer, CBP
                Chief Information Security Officer
                Assistant Secretary, Policy
                Assistant Secretary for Public Affairs
                Assistant Secretary for Legislative Affairs
                DHS GAO OIG Audit Liaison
                Chief Information Officer, Audit Liaison
                Audit Liaison, CBP

                Office of Management and Budget

                Chief, Homeland Security Branch
                DHS OIG Budget Examiner

                Congress

                Congressional Oversight and Appropriations Committees as Appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.